System and method to provide server control for access to mobile client data

ABSTRACT

Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Ser. No. 61/605,792filed on Mar. 2, 2012 and incorporated herein by reference in itsentirety. This application is a Continuation application of co-pendingU.S. patent application Ser. No. 13/570,816 filed on Aug. 9, 2012, whichis a Continuation application of co-pending U.S. patent application Ser.No. 13/555,905 filed on Jul. 23, 2012, both incorporated herein byreference in their entirety.

BACKGROUND

1. Technical Field

The present invention relates to controlling access to data, and moreparticularly to providing server control for access to client data on amobile device.

2. Description of the Related Art

Over the last few years, work environments have changed from anoffice-centric model to an increasingly mobile model in which employeesaccess enterprise data remotely though various channels from a widerange of devices. In addition to access from laptops that connect toenterprise networks through encrypted channels, such as virtual privatenetworks (VPNs), employees are increasingly using other mobile devices,such as smartphones or tablet computers. Such mobile devices create asignificant risk of data loss due to accidental loss or theft. Mobilephones are especially at risk, as they are usually carried throughoutthe day, even in situations where other mobile devices, like laptops,are not typically carried.

Current approaches for preventing data loss include passwords for deviceaccess, redaction of information, and encryption of information.However, there exists a tradeoff between security and usability. Forexample, a device lock may be activated on a mobile phone after 15minutes of inactivity. While 15 minutes may be too frequent in somesituations (e.g., home), 15 minutes may be too long in others (e.g.,public bar) to effectively prevent the loss of sensitive information.None of the present approaches for preventing data loss sufficientlyaddress both security and usability of a mobile device.

SUMMARY

A method for protecting a data item includes, upon initiation oftransfer of the data item from a server to a client device, determininga sensitivity score and a current protection level of the data item. Apolicy is applied to determine an appropriate protection for the dataitem based upon the sensitivity score and the current protection level.A protected data item is provided to the client device by applying theappropriate protection to the data item.

A method for protecting a data item includes, upon initiation oftransfer of the data item from a server to a mobile device, determininga sensitivity score and a current protection level of the data itemusing a data protection server. A policy is applied to determine anappropriate protection for the data item using the data protectionserver, wherein the appropriate protection is based upon the sensitivityscore, the current protection level, and features of at least one of thedata item and the mobile device. A protected data item is provided tothe mobile device by applying the appropriate protection to the dataitem using the data protection server.

A method for accessing a protected data item includes, responsive to arequest to access the protected data item, determining a level ofconfidence that a user of a client device is an authorized user of theclient device to determine eligibility of the user to access theprotected data item. The level of confidence is based on one or more ofa context of the client device, an authentication history of the clientdevice, and an access history of the user of the client device. Inaccordance with the level of confidence, access to the protected dataitem is provided to the client device such that a level of confidenceneeded to access the protected data item is based upon a sensitivityscore of the protected data item.

A method for accessing a protected data item includes, responsive to arequest to access the protected data item, determining a level ofconfidence that a user of a mobile device is an authorized user of themobile device to determine eligibility of the user to access theprotected data item using a data protection server. The level ofconfidence is based on one or more of a context of the client device, anauthentication history of the client device, and an access history ofthe user of the client device. In accordance with the level ofconfidence, access to the protected data item is provided to the clientdevice using the data protection system such that a level of confidenceneeded to access the protected data item is based upon a sensitivityscore of the protected data item.

A system for protecting a data item including a sensitivitydetermination module configured to determine a sensitivity score and acurrent protection level of the data item upon initiation of transfer ofthe data item from a server to a client device. A policy decision moduleis configured to apply a policy to determine an appropriate protectionfor the data item based upon the sensitivity score and the currentprotection level. A secure migration manager module is configured toprovide a protected data item to the client device by applying theappropriate protection to the data item.

A system for protecting a data item includes a sensitivity determinationmodule configured to determine a sensitivity score and a currentprotection level of the data item using a data protection server uponinitiation of transfer of the data item from a server to a mobiledevice. A policy decision module is configured to apply a policy todetermine an appropriate protection for the data item using the dataprotection server. The appropriate protection is based upon thesensitivity score, the current protection level, and features of atleast one of the data item and the mobile device. A secure migrationmanager module is configured to provide a protected data item to themobile device by applying the appropriate protection to the data itemusing the data protection server.

A system for accessing a protected data item includes a policy decisionmodule configured to determine a level of confidence that a user of aclient device is an authorized user of the client device to determineeligibility of the user to access the protected data item in response toa request to access the protected data item. The level of confidence isbased on one or more of a context of the client device, anauthentication history of the client device, and an access history ofthe user of the client device. An authentication manager module isconfigured to provide access to the protected data item to the clientdevice in accordance with the level of confidence, such that a level ofconfidence needed to access the protected data item is based upon asensitivity score of the protected data item.

A system for accessing a protected data item includes a policy decisionmodule configured to determine a level of confidence that a user of amobile device is an authorized user of the mobile device to determineeligibility of the user to access the protected data item using a dataprotection server in response to a request to access the protected dataitem. The level of confidence is based on one or more of a context ofthe client device, an authentication history of the client device, andan access history of the user of the client device. An authenticationmanager module is configured to provide access to the protected dataitem to the client device using the data protection system in accordancewith the level of confidence, such that a level of confidence needed toaccess the protected data item is based upon a sensitivity score of theprotected data item.

These and other features and advantages will become apparent from thefollowing detailed description of illustrative embodiments thereof,which is to be read in connection with the accompanying drawings.

BRIEF DESCRIPTION OF DRAWINGS

The disclosure will provide details in the following description ofpreferred embodiments with reference to the following figures wherein:

FIG. 1 is a block/flow diagram of a method for transferring a data itemfrom a server to a mobile device, in accordance with one illustrativeembodiment;

FIG. 2 is a block/flow diagram of a system for transferring a data itemfrom a server to a mobile device, in accordance with one illustrativeembodiment;

FIG. 3 is a block/flow diagram of a system for controlling access to adata item stored on a mobile device, in accordance with one illustrativeembodiment;

FIG. 4 is a block/flow diagram of a method for controlling access to adata item stored on a mobile device, in accordance with one illustrativeembodiment;

FIG. 5 is a block/flow diagram of a method for gathering additionalauthentication information from a mobile device, in accordance with oneillustrative embodiment; and

FIG. 6 is a block/flow diagram of a method for determining usereligibility for accessing an encrypted data item on a mobile device, inaccordance with one embodiment.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In accordance with the present principles, systems and methods forprotecting sensitive data items and server and context based accesscontrol of these sensitive data items are provided. A server, such as adata protection system, may be utilized to ensure protection of the dataitem while also providing an opportunity to increase usability of themobile device. For instance, the data protection system may adjust itsaccess decisions based on the current context of the client device, thecurrent context of the user, the level of confidence in the user'sidentity, etc. Preferably, the data protection system is implementedbetween a server and a mobile device, such as a proxy.

In one embodiment, a data item may be protected before being transferredfrom a server to a mobile device using the data protection system. Thedata protection system may determine a sensitivity (e.g., sensitivityscore) and other features of the data item. Based on one or more of thesensitivity score of the data item, the features of the data item, and apolicy controlling access to the data item, the data protection systemmay determine whether the data item needs to be protected. Thesensitivity score may be based on one or more of the value of the dataitem to any given individual or organization, the cost of recreating thedata item if destroyed or modified, and the potential losses causeddirectly or indirectly by the data item being made available tonon-authorized individuals or organizations. Other factors indetermining the sensitivity score and the need for protection of thedata item are also contemplated.

In a preferred embodiment, protection includes encrypting the data item.The encrypted data item may be sent to the mobile device. In otherembodiments, for example, where the mobile device is unable to processthe encrypted data item, the data protection system may store theencrypted data item and send a corresponding link to the mobile device.In still other embodiments, the data item may be redacted or otherwiseobfuscated. In other embodiments, the protected data item may be anaggregate protected data item including multiple versions of the dataitem that are protected with different methods of protection (e.g., theunmodified data item encrypted with a unique encryption key and a set ofredacted versions of the data item resulting in different sensitivityscores, each encrypted with unique encryption keys). Preferably, onlythe protected data item is stored on the mobile device and the originalversion of the data item is only temporarily available in the mobiledevice memory.

In another embodiment, the protected data item stored on the mobiledevice may be accessed using the data protection system. The dataprotection system may evaluate whether the user of the mobile deviceaccessing the encrypted data item is the authorized user of the mobiledevice. This evaluation may be based on one or more of authenticationhistory, method of authentication, confidence in that method ofauthentication, risk of device loss, context of the mobile device,context of the user, etc.

In a preferred embodiment, evaluation of the user may be based on alevel of confidence score that indicates how confident the dataprotection system is that the current interaction with the mobile deviceis performed by the authenticated user of the mobile device. Eachauthentication option (e.g., simple pass code, full password,biometrics, etc.) may be assigned a score. The accumulatedauthentication score of the user may be compared to a minimumauthentication score to determine the eligibility of the user in thecurrent context. Depending on the evaluation, the data protection systemmay decide if the user is currently eligible to access the protecteddata item. In one embodiment, the data protection system may requireadditional authentication information by sending authenticationchallenges to the mobile device and receiving responding authenticationinformation.

In a preferred embodiment, the data protection system may send adecryption key to the mobile device for accessing the protected dataitem or for accessing a redacted version of the data item. Preferably,the decryption key is subsequently erased. If the protected data item isan aggregate protected data item including multiple versions of the dataitem that are protected with different methods of protection, the dataprotection system may send only one decryption key that only allowsaccess to a version that is appropriate for the current device context(e.g., only allowing access to a highly redacted version of the dataitem in a device context that is considered insecure like an airport).It should be appreciated that the data protection system may augment theprotected data item by adding new versions of the data item protected bya different method based on the current context if it is not alreadypresent in the aggregate protected data item.

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or computer programproduct. Accordingly, aspects of the present invention may take the formof an entirely hardware embodiment, an entirely software embodiment(including firmware, resident software, micro-code, etc.) or anembodiment combining software and hardware aspects that may allgenerally be referred to herein as a “module” or “system.” Furthermore,aspects of the present invention may take the form of a computer programproduct embodied in one or more computer readable medium(s) havingcomputer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing. Computer program code for carrying out operations foraspects of the present invention may be written in any combination ofone or more programming languages, including an object orientedprogramming language such as Java, Smalltalk, C++ or the like andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The program codemay execute entirely on the user's computer, partly on the user'scomputer, as a stand-alone software package, partly on the user'scomputer and partly on a remote computer or entirely on the remotecomputer or server. In the latter scenario, the remote computer may beconnected to the user's computer through any type of network, includinga local area network (LAN) or a wide area network (WAN), or theconnection may be made to an external computer (for example, through theInternet using an Internet Service Provider).

Aspects of the present invention are described below with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that can direct a computer, other programmable dataprocessing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowchart and/or blockdiagram block or blocks. The computer program instructions may also beloaded onto a computer, other programmable data processing apparatus, orother devices to cause a series of operational steps to be performed onthe computer, other programmable apparatus or other devices to produce acomputer implemented process such that the instructions which execute onthe computer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The present principles relate to server-based techniques for limitingthe risk of loss of sensitive data on a mobile device by exercisingcontrol over the authentication needed to access the data stored on themobile device. The present principles provide server-based protectionbefore the transfer of a data item from a server to a mobile device, forsecuring the protected data item while stored on the mobile device, andfor the accessing of the protected data using the mobile device.

Referring now to the drawings in which like numerals represent the sameor similar elements and initially to FIG. 1, a method 100 fortransferring a data item from a server to a mobile device isillustratively depicted in accordance with one illustrative embodiment.The method 100 may transfer the data item or, if appropriate, aprotected version of the data item from a server to a mobile device. Theserver includes any computing apparatus that provides services to aclient device and is not limited to any particular architecture,location or operating environment. The mobile device includes any devicewhich obtains data from a server, such as a client computing device. Themobile device is not limited to any particular architecture, location oroperating environment, and may be either stationary or mobile. Forexample, in one particularly useful embodiment, the mobile device mayinclude one or more of a laptop, smartphone, tablet computer, personaldigital assistant, game console, media player, camera, navigationdevice, and the like. It is to be understood that the present principlesmay be applied to any data item that can be monitored and manipulated asit is transferred between a server and a mobile device.

In block 102, upon initiating the transfer of a data item from a serverto a mobile device, a sensitivity score of the data item may bedetermined. In one embodiment, initiating the transfer of a data itemmay include a request from the mobile device due to one or more of,e.g., a user request, a scheduled request, a response to an inputreceived from one or more sensors of the mobile device, a response to anexternal event of another device, etc. In other embodiments, initiatingthe transfer of a data item may include the server sending the data itemdue to one or more of, e.g., a request from the mobile device, a requestfrom another device, information received from another device, ascheduled transmission, etc. Other methods of initiating the transfer ofa data item are also contemplated.

In a preferred embodiment, determining a sensitivity score of a dataitem includes determining sensitivity scores for a list of classes ofdata on a server, determining a class of the data item, and assigningthe sensitivity score corresponding to the class of the data item as thesensitivity score of the data item. The sensitivity score may be basedon one or more of the value of the data item to any given individual ororganization, the cost of recreating the data item if destroyed ormodified, and the potential losses caused directly or indirectly by thedata item being made available to non-authorized individuals ororganizations. Other factors in determining the sensitivity score andthe need for protection of the data item are also contemplated. It is tobe understood that other methods of determining a sensitivity score of adata item may be applied as is known in the art.

In another embodiment, upon initiation of transfer of a data item,features of the data item may also be determined, such as, for example,document type, author, indicators (e.g., confidentiality flags), etc. Instill other embodiments, upon initiation of transfer of a data item, acurrent protection level of the data item may be determined, such as,e.g., whether the data item is currently already protected (e.g.,encrypted or redacted), information about the mobile device (e.g., doesthe mobile device provide appropriate policies), etc. It should beunderstood that the data item may be composite; for example, the presentprinciples may process an email as one unit or may process each portionof the email separately (e.g., subject line, body, attachments, etc.).In still other embodiments, determining a sensitivity score of the dataitem may further include determining a user's context, such as theuser's geographic location.

In block 104, it is determined whether the data item is to be protected.Preferably, a policy is applied to determine whether the data item is tobe protected. The policy may base its decision on one or more of thesensitivity score of the data item, features of the data item, metadataabout the data item, etc. Other factors are also contemplated.

In block 106, if it is determined that the data item does not needprotection, the data item may be transferred to the mobile devicewithout further processing.

If it is determined that the data item does need protection, protectiontechniques may be applied to the data item. In a preferred embodiment,protection techniques may include encryption. However, other means ofprotection are also contemplated, such as, for example, redaction andother invertible and non-invertible obfuscation techniques. Othermethods of protections are also contemplated. Multiple protectiontechniques may be applied on different copies of the data item,resulting in an aggregated protected data item that includes a set ofdifferently protected versions of the data item. In some embodiments,protection techniques are applied to all data items.

In block 108, an encryption key for the data item is determined. Itshould be appreciated that while the present principles refer to anencryption key, other forms of protection may be implemented, such as aredaction function, obfuscation function, or similar instruction forprotecting the data item. In a preferred embodiment, a unique encryptionkey is used for each application of a protection technique applied onthe data item. Other encryption techniques are also contemplated. Forinstance, in other embodiments, encryption keys may be reused byimplementing a predefined method. For example, one encryption key perdata item type may be used. In another example, one encryption key for apredetermined time period may be used (e.g., one encryption key perday). In yet another example, the same encryption key may be used forall data items. The determined encryption key may be stored for futureuse. In block 110, an encrypted version of the data item is createdusing the encryption key. The encryption may be applied as is known inthe art.

In another embodiment, in block 108, multiple encryption keys may bedetermined and applied to multiple copies of the data item to providefor an aggregate protected data item. Preferably, the aggregateprotected data item includes multiple copies of the data item eachprotected by different protection methods. Each individually protecteddata item of the aggregate protected data item may be protected asappropriate to allow access according to different contexts (e.g., aheavily redacted version permissible to be viewed everywhere and alightly redacted version that may only be viewed in locations with somelevel of access control). Each individually protected data item may alsobe assigned with an individual sensitivity score that may be lower thanthe sensitivity score of the data item if the data item was redactedduring the application of the protection.

In block 112, it is determined whether an application on the mobiledevice to be used to access the data item is capable of processing dataitems encrypted using the encryption technique applied in block 110. Anapplication of the mobile device may include, e.g., the mobile device asa whole, a specific program, a container, a virtual machine, etc. Forexample, an application capable of processing the encrypted data itemsmay include an email program modified to implement the encryptiontechnique. If the application used on the mobile device is capable ofprocessing the encrypted data item, in block 114, the encrypted dataitem may be transferred to the mobile device.

If the application used on the mobile device is not capable ofprocessing the encrypted data item (e.g., a standard email client), inblock 116, the encrypted data item may be stored for later processingand a unique identifier may be chosen to identify the encrypted dataitem. In block 118, a newly created data item, which includes a linkcontaining the unique identifier for the encrypted data item, may besent to the mobile device instead of the original data item. In apreferred embodiment, the link may include a hyperlink that can beclicked, resulting in an automatic start of an application running onthe mobile device that will allow displaying the encrypted data item. Inanother embodiment, the newly created data item may include a messageinstructing the user to open an appropriate application and anidentification number to be entered to identify the stored encrypteddata item. The identification number displayed in the message may be thepreviously chosen unique identifier or a different identification numbermore suitable for manual entry. In still another embodiment, theencryption key, which is known to the user (e.g., password), and theencryption method are provided by applications of the mobile device and,thus, the application may allow access to the data item without furtherserver interaction.

Referring now to FIG. 2, a system for transferring data items from aserver to a mobile device is illustratively depicted in accordance withone embodiment. A user of a mobile device 202 may initiate the transferof a data item stored on server 206 to the mobile device 202. The mobiledevice 202 includes any device which obtains data from a server, such asa client computing device. The mobile device 202 is not limited to anyparticular architecture, location or operating environment, and may beeither stationary or mobile. For example, the mobile device 202 mayinclude one or more of a laptop, smartphone, tablet computer, personaldigital assistant, game console, media player, camera, navigationdevice, and the like. The server 206 is a computing apparatus thatprovides service to a client device, and is not limited to anyarchitecture, location or operating environment. For instance, server206 may include, e.g., an email server, calendar server, etc. It isnoted that the present principles may be applicable to the transfer ofany data item that can be monitored and manipulated between a mobiledevice 202 and a server 206.

In one embodiment, initiating the transfer of a data item may include arequest from the mobile device 202 due to one or more of, e.g., a userrequest, a scheduled request, a response to an input received from oneor more sensors of the mobile device 202, a response to an externalevent of another device, etc. In other embodiments, initiating thetransfer of a data item may include the server 206 sending the data itemdue to one or more of, e.g., a request from the mobile device 202, arequest from another device, a scheduled transmission, etc. Othermethods of initiating the transfer of a data item are also contemplated.

The mobile device 202 may connect to a mobile network connector 204 toaccess data items and other resources stored in server 206. The mobilenetwork connector 204 may be the interface to a network provider (e.g.,mobile service provider). Connection from the mobile device 202 to themobile network connector 204 may include authentication, encryption,etc. to secure communication and prohibit access from unauthorizeddevices. The mobile network connector 204 may forward communication tothe server 206. Data items received from the server 206 to the mobiledevice 202 pass though the mobile network connector 204, which maymodify the data items sent (e.g., by encrypting the data items while intransit). The connection between the mobile device 202 and the server206 may be established using the mobile provider infrastructure 208. Theconnection may include various components operated by the serviceprovider or the mobile device 202, such as, for example, mobile networkantennas, Wi-Fi antennas, backbone networks, etc. Alternativearchitectures implementing the communication between the mobile device202 and the server 206 have also been contemplated.

The mobile service interface 210 may modify the data items from theserver 206 to translate them from one data format to another. Forexample, the mobile service interface 210 may modify a data item usingstandard protocols to allow use on a mobile device 202 using a specificprotocol. In addition, the mobile service interface 210 may also modifydata items transferred from the server 206 to the mobile device 202according to the data protection system 212. The data protection system212 may apply appropriate protections on data items transferred from theserver 206 to the mobile device 202.

The data protection system 212 preferably includes one or moreprocessors 228 and memory 214 for storing programs, applications, data,etc. The data protection system 212 may include one or more displays 230for viewing, which may also permit a user to interact with the dataprotection system 212 and its components and functions. This may befurther facilitated by a user interface 232, which may include akeyboard, mouse, joystick or any other peripheral or control to permituser interaction with the data protection system 212. It should beunderstood that the functions and components of the data protectionsystem 212 may be integrated into one or more systems. In oneembodiment, the data protection system 212 may implemented as a plug-infor an existing mobile platform infrastructure. In another embodiment,the data protection system 212 may be implemented as an additional,discrete component, such as, e.g., a proxy for the data item accessprotocol used to communicate between the server 206 and the mobiledevice 202. Other implementations of the data protection system 212 arealso contemplated.

The memory 214 may store secure migration manager module 216, configuredto protect data items transferred from the server 206 to the mobiledevice 202 to allow control of access, as appropriate. Upon initiationof transfer of a data item, sensitivity determination module 218 isconfigured to process the data item to determine its sensitivity score.In a preferred embodiment, determining a sensitivity score of a dataitem includes determining a value for different classes of data to aserver 206, determining the class of the data item, and assigning thecorresponding sensitivity score as the sensitivity score of the dataitem. Other implementations of determining the sensitivity score of adata item are also contemplated, as will be appreciated by one ofordinary skill in the art. In one embodiment, upon initiation oftransfer of a data item, features of the data item may also bedetermined, such as, e.g., document type, author, confidentiality flags,etc. In still other embodiments, upon initiation of transfer of a dataitem, a current protection level of the data item may be determined,such as, e.g., whether the data item is currently already protected(e.g., encrypted or redacted), information about the client (e.g., doesthe client provide appropriate policies), etc. It is noted that the dataitems may be composite. For example, the data item may include an emailto be processed as one unit or to be processed in portions (e.g.,subject line, body, attachments, etc.). The information returned bysensitivity determination module may be stored in data item store 220for future access.

The policy decision module 222 applies a policy controlling access tothe data item to determine whether the data item is to be protected(e.g., encrypted). The policy may base its determination on one or moreof the following: sensitivity score of the data item determined bysensitivity determination module 218, data item content, metadata of thedata item, information about the mobile device 202, the capabilities ofthe mobile device 202, etc.

If the policy decision module 222 determines that the data item does notneed to be protected, the data item may be transferred to the mobiledevice 202 without any further processing. If the policy decision module222 determines that the data item does need protection, appropriateprotections are applied on the data items. In a preferred embodiment,protecting data items includes encrypting the data items. However, it isnoted that other implementations of protecting data items are alsocontemplated. For example, applying appropriate protections on dataitems may include redaction, password access, etc.

The secure mobile migration manger module 216 may then encrypt the dataitem by determining an encryption key. It should be appreciated that thepresent principles are not limited to determining an encryption key, butmay be implemented using other forms of protection, such as a redactionfunction, obfuscation function, or similar instruction. Preferably, aunique encryption key is used for each data item. Other encryptiontechniques are also contemplated. In some embodiments, encryption keysmay be reused according to a predefined arrangement. For example,encryption keys may be assigned by data item type, by time period, orthe same encryption key may be used for all data items. The encryptionkey may be stored at decryption key store 224 for future use. The securemigration manager module 216 may encrypt the data item using theencryption key. In one embodiment, the decryption key may be encryptedwith a public key unique to the mobile device 202.

In another embodiment, secure migration module 216 may determine andapply multiple encryption keys to multiple copies of the data item toprovide an aggregate protected data item. Preferably, the aggregateprotected data item includes multiple copies of the data item eachprotected by different protection methods. Each individually protecteddata item of the aggregate protected data item may be protected asappropriate to allow access according to different contexts (e.g., aheavily redacted version permissible to be viewed everywhere and alightly redacted version that may only be viewed in locations with somelevel of access control). Each individually protected data item may alsobe assigned with an individual sensitivity score that may be lower thanthe sensitivity score of the data item if the data item was redactedduring the application of the protection.

If the accessing application of the mobile device 202 is capable ofprocessing the encrypted data item, the encrypted data item may betransferred to the mobile device 202. The accessing application mayinclude, e.g., the mobile device 202 as a whole, a specific program, acontainer, a virtual machine, etc. If the accessing application of themobile device 202 is not capable of processing the encrypted data item,the encrypted data item may be stored in the encrypted data item store226. Each stored encrypted data item may be assigned a unique identifierto identify the encrypted data item. The unique identifier may also beused to retrieve the appropriate decryption key from decryption keystore 224. In one embodiment, a newly created data item may be sent tothe mobile device 202 including a link to the encrypted data item.Preferably, the link includes a hyperlink that can be clicked toautomatically start an application on the mobile device that willdisplay the encrypted data item. In other embodiments, the newly createddata item may include a message with an ID. The message may instruct theuser to open an appropriate application on the mobile device 202 andenter an identification number. The identification number may includethe unique identifier or a different identifier more suitable for manualentry. In still other embodiments, the encryption key is known to theuser and the encryption is provided by an application on the mobiledevice 202 to allow access to the encrypted data item without furtherserver interaction.

Referring now to FIG. 3, a system 300 for controlling access to a dataitem stored on a mobile device is illustratively depicted in accordancewith one embodiment. Access to the encrypted data item may be initiatedby the mobile device 202. Preferably, access to the encrypted data itemmay be initiated by the data access app 302 of the mobile device 202. Inone embodiment, the data access app 302 is configured to access theencrypted data item directly. In another embodiment, for example, wherethe data access app 302 is unable to process the encrypted data item,the secure viewer app 304 is configured to access the encrypted dataitem. In a preferred embodiment, the secure viewer app 304 is started byactivating a link displayed in the data access app 302. The data accessapp 302 may also provide information to the secure viewer app 304regarding the encrypted data item to be accessed. In other embodiments,the data access app 302 displays an identifier that the user may enterin the secure viewer app 304 to identify the stored encrypted data item.

Upon initiating access to the encrypted data item, the applicationinitiating the access (i.e., data access app 302 or secure view app 304)may determine whether the encrypted data item is stored on the mobiledevice 202. For example, the encrypted data item may already be storedon the mobile device 202 if the user had previously viewed the encrypteddata item or if the encrypted data item was transferred by a backgroundprocess (e.g., data sync). If the encrypted data item is not currentlystored on the device, the application initiating access (i.e., dataaccess app 302 or secure viewer app 304) requests transfer from theauthentication manager module 310 of the data protection system 212. Theencrypted data item store 226 may provide the encrypted data item to themobile device 202 where the encrypted data item was not alreadytransferred to the mobile device 202, such as when a link was sent tothe mobile device 202 instead of the encrypted data item.

Once the encrypted dated item is available on the mobile device 202, theapplication initiating the access (i.e., data access app 302 or secureview app 304) may request the decryption key from the authenticationmanager module 310, which is stored in decryption key store 224 of thedata protection system 212. In one embodiment, the request is sent usingthe mobile provider infrastructure 208 and mobile service interface 210.In another embodiment, the request may be sent directly to theauthentication manager module 310.

The authentication manager module 310 processes the request for thedecryption key by using the policy decision module 222 to determinewhether a user is currently eligible to access the encrypted data item.Based on the determination of the policy decision module 222, theappropriate decryption key may be sent to the mobile device 202. If therequest for the decryption key includes authentication or contextinformation, the authentication and context history store 314 may befirst updated. In one embodiment, content access requests andauthentication information may also be forwarded to a securityinformation manager to provide auditing, alerts, and other automated orhuman reactions to the information.

The policy decision module 222 may determine whether a user is eligibleto view the encrypted data item based on the level of confidence thatthe authorized and authenticated user of the mobile device 202 is thecurrent user of the mobile device 202. In a particularly usefulembodiment, the level of confidence may be represented as an accumulatedauthentication score. Each authentication option (e.g., simple passcode, full password, biometrics, etc.) may be assigned a score and,based on the authentication information provided by the mobile device,the accumulated authentication score may be compared to a minimum scorefor access to the encrypted data item. The level of confidence may alsobe decreased with the amount of sensitive information access on themobile device. In one embodiment, a fixed authentication score may beassigned to each authentication option. In other embodiments, theauthentication score for each authentication option provided by themobile device may be modified based on one or more of a context of theclient device at a time of authentication, contexts of the client devicesince authentication, and an amount of time passed since authentication.For example, in one embodiment, a range of scores may be assigned toeach authentication option provided by the mobile device, such that aparticular authentication score is selected within the range based,e.g., on the confidence of the authentication option. Otherrepresentations of the level of confidence are also contemplated.

In one embodiment, the level of confidence may be determined based onthe time of last successful authentication of the user through themobile device 202 or the method of authentication, such as password orbiometric authentication. In another embodiment, the level of confidencemay be determined based on the confidence of the authentication method(e.g., the confidence of a fingerprint identification, voice recognitionor facial recognition), the trust in the authentication method itself(e.g., based on the difficultly to achieve a false positiveauthentication by exploiting weaknesses in the authentication method),or the sensitivity score of the data item. In still a furtherembodiment, the level of confidence may be determined based on thehistory of data access (e.g., based on volume, topic, averagesensitivity, etc.) or the current context of the device (e.g., currentlocation, nearby devices, etc.). For instance, the history may be usedto determine if the data accessed or current context of the mobiledevice 202 is unusual. The access history 312 may be used to determinewhich encrypted data items were accessed in the past from the mobiledevice 202. The authentication and context history store 314 may be usedto determine the most recent context for the mobile device 202.

In still other embodiments, the level of confidence may be based on acurrent context, such as a context of the mobile device 202 or thecontext of the user. The context of the mobile device 202 may includeone or more of the following: the current location of the mobile device202, the history of previous locations of the mobile device 202, thehistory of previous compromises of the mobile device 202, the ownershipstatus of the mobile device 202 (e.g., corporate owned or personallyowned), the operating system of the mobile device 202, the applicationsinstalled on the mobile device 202, the current patch level of themobile device 202, the presence of known or suspected malware on thedevice, and the security status of the networks which the device isconnected to. Other factors related to the context of the mobile device202 are also contemplated. The context of the user may include one ormore of the following: the management status of the user, the businessrole of the user, the history of the user's access to data of knownsensitivity, the aggregated sensitivity score of all data items accessedby the user, the history of the user in experiencing the loss or theftof devices, and the history of the individual in accessing the device.Other factors for the context of the user are also contemplated.

In yet another embodiment, the level of confidence may be determinedbased on the risk of device loss or unauthorized device access in thecurrent or recent context of the device (e.g., the probability of theftof the device at the current location or at a previously visitedlocation). In a preferred embodiment, the policy decision module 222 mayinclude a risk engine to determine the risk of loss of mobile device 202or the risk of unauthorized access to mobile device 202. In anembodiment, the risk may be based on one or more of the likelihood thatthe data item may be leaked or misused, the potential damage of suchleakage or misuse, etc. The likelihood may be based on one or more ofthe sensitivity score of the data item, the type of the data item, theaccess history 312, the deviation of the most recent access patternsfrom the access history 312 from a longer-term access patterns in theaccess history 312, and the current context of the mobile device 202.The potential damage may be based on one or more of the sensitivityscore of the requested data item, the aggregated sensitivity scores ofthe data items the user has accessed in the past, and the aggregatedsensitivity scores of data items that are currently stored on the mobiledevice 202. In still another embodiment, the risk that the mobile device202 may be lost or mishandled may be based on, e.g., the user's historyof losing or mishandling the mobile device 202. Other risk factors arealso contemplated.

Based on the level of confidence, the policy decision module 222 maydetermine whether access to the encrypted data item is allowed. Ifaccess is allowed, the authentication manager module 310 retrieves thedecryption key from decryption key store 224 and sends it to the mobiledevice 202. If access is not allowed, additional authenticationinformation may be needed. The authentication manager module 310 mayprovide a list to the mobile device 202 including authenticationoptions, a score for each authentication option which indicates thelevel of confidence, and a minimum score to allow access to theencrypted data item.

Unused authentication information may be sent from the mobile device 202to the authentication and context history store 314. For example, theauthentication collector module 308 of the mobile device 202 may provideauthentication information by performing continuous authentication inthe background. The continuously collected authentication informationmay include biometrics (e.g., voice recordings, pictures), usagepatterns that indicate the current user is the authorized user, etc.Other forms of continuously collected authentication information arealso contemplated. In another example, authentication information may beprovided by the authentication challenge response module 306 on themobile device 202 responding to a challenge from the authenticationchallenge module 316. The policy decision module 222 determines whetheraccess is allowed based on the level of confidence from the updatedauthentication information.

If no additional, unused authentication information is available,authentication challenges may be created by the authentication challengemodule 316 based on the list of available authentication options.Preferably, a set of one or more of the least intrusive authenticationoptions is selected that fulfill the minimum authentication score neededfor access to the encrypted data item. A first authentication challengemay be sent from the authentication challenge module 316 to the mobiledevice 202. In some embodiments, the authentication challenge module 316may be configured such that intercepted responses to challenges may notbe reused at a later time to gain unauthorized access to the encrypteddata item. In one embodiment, the authentication challenge module 316may send the challenges without the mobile device 202 requesting adecryption key for an encrypted data item. The challenge may beresponded to by authentication challenge response module 306 and/orauthentication collector 308 on the mobile device 202.

In one embodiment, the authentication challenges may involve userinteraction, such as, e.g., entering a password/PIN, responding tobiometric challenges such as taking a picture or voice recordings, etc.In another embodiment, the challenges may include non-interactiveresponse, such as, e.g., reporting the current location based on globalpositioning system (GPS) coordinates, responding to a signal receivableonly in certain locations to verify that the device is within thelimited signal range, etc. In another example, the authenticationchallenge may include contacting a third party (e.g., a verificationcall to a call center) to respond the challenge. The response may besubmitted by the user on the mobile device 202 to the authenticationmanager module 310 or may be submitted directly by the third party tothe authentication and context history store 314. Other challenges arealso contemplated within the scope of the present principles. In someembodiments, the authentication challenge response module 306 may beintegrated into the app used to access the encrypted data item (i.e.,data access app 302 or secure viewer app 304).

The first additional authentication information response may be added tothe current authentication information of the user and it is determinedwhether the updated authentication information of the user satisfies theauthentication manager module 310. Preferably, the accumulatedauthentication score of the authentication information of the user iscompared to the minimum authentication score for access. If it isdetermined that the updated authentication information is still notsufficient, a second authentication challenge option may be selected andthe process is repeated until access is allowed or no otherauthentication options are available.

If the policy decision module 222 allows access, the appropriatedecryption key may be transferred from the decryption key store 224 tothe mobile device 202. If the policy decision module 222 denies access,the authentication manager module 310 may send a message to the mobiledevice 202 indicting that access is denied until the context (e.g.,location) changes.

In one embodiment, the policy decision module 222 may determine that aredacted version of the data item should be displayed based on the levelof confidence in the user's identity and the current context of themobile device (e.g., in a public location with a high risk ofunauthorized access by “shoulder surfing,” where a third-party observesthe mobile device 202 screen while the authorized user is viewing thedata item). In one embodiment, redaction may be implemented in anaggregate protected data item, including several versions of theencrypted data item at various levels of redaction and each withdifferent decryption keys. The policy decision module 222 may determinean appropriate decryption key according to, e.g., the current level ofconfidence of the user's identity and the current context of the mobiledevice. The data protection system 212 may also send multiple decryptionkeys for all redacted versions of the data items that are permissible tobe accessed given the current level of confidence of the user's identityand the current context of the mobile device to allow the mobile device202 to select one of them. It should be appreciated that the dataprotection system 212 may augment the protected data item by adding newversions of the data item protected by a different method of protectionbased on the current level of confidence of the user's identity and thecurrent context if an appropriate redaction it is not already present inthe aggregate protected data item.

In still other embodiments, the policy decision module 222 may send thedecryption key to the mobile device 202 with a (e.g., warning) message.The message may be displayed to the user before displaying the data itemto inform the user to take proper precautions (e.g., “Please make surenobody can see your screen while viewing this data”). The warningmessage may also mandate a confirmation by the user to acknowledge thatproper precaution is taken to protect the data item (e.g., “Pleaseconfirm that nobody will be able to view this data while it isdisplayed. Your confirmation will be added to the audit logs for thedata.”). User responses to a confirmation may be stored in the accesshistory 312 for later auditing.

Once the encrypted data item is decrypted, the decryption key may besecurely deleted from the mobile device 202. When the decrypted dataitem is closed, the decrypted data item may be securely deleted from themobile device 202. For example, the decrypted data item may be closed byswitching applications on the mobile device 202, locking the mobiledevice 202, activating a timeout screensaver, etc. Other implementationsof closing the decrypted data item are also contemplated.

Referring now to FIG. 4, a method 400 for controlling access to a dataitem stored on a mobile device is illustratively depicted in accordancewith one embodiment. In block 402, the mobile device may initiate accessto an encrypted data item. Preferably, access to the encrypted data itemmay be initiated by a data access app stored on the mobile device. Thedata access app may access the encrypted data item directly. In anotherembodiment, such as where the data access app in unable to process theencrypted data item, a secure viewer app may access the encrypted dataitem. In a preferred embodiment, the secure viewer app may be started byclicking on a link.

In block 404, it is determined whether the encrypted data item isalready on the mobile device. For example, the encrypted data item mayalready be on the device if the user has previously viewed the data itemor if the transfer of the data item is performed by a background process(e.g., a data sync). If the data item is not already on the mobiledevice, in block 406, the data item may be requested from the dataprotection system and transferred to the mobile device. Once theencrypted data item is available on the mobile device, in block 408, adecryption key for the encrypted data item may be requested from thedata protection system (e.g., from authentication manager module 310 ofFIG. 3).

In block 410, it is determined whether a user is currently eligible toaccess the encrypted data item. In a preferred embodiment, usereligibility may be based on a minimum authentication score. Eachauthentication option may be given a score, with the accumulatedauthentication score of the user reflecting the level of confidence thatthe data protection system has in the user's identity. The accumulatedauthentication score may be compared with the minimum authenticationscore to determine whether a user is eligible to access the encrypteddata item. In one embodiment, determining eligibility of a user may beperformed as discussed with respect to FIG. 6. Other methods ofdetermining user eligibility are also contemplated.

If the user was found to be eligible, a decryption key may be sent tothe mobile device. If the user was not found to be eligible, in block412, it is determined whether the data protection system denied accessto the encrypted data item or needs additional authentication. If theserver denied access to the encrypted data item, in block 414, a messagemay be displayed. For instance, the message may indicate that displayingthe data item is not possible in the current context and can be retriedin a different context (e.g., different location). If the server did notdeny displaying the encrypted data item, but instead needs additionalauthentication, in block 416, additional authentication is gathered. Inone embodiment, additional authentication information is gathered asdiscussed with respect to FIG. 5. Once additional authenticationinformation is gathered, the mobile device may again request thedecryption key for the encrypted data item with using the updatedauthentication information (e.g., the updated accumulated authenticationscore of the user), in block 408.

In block 418, a decryption key may be sent to the mobile device todecrypt the encrypted data item. In one embodiment, the decryption keymay be sent to the mobile device according to a level of redaction ofthe data item. For example, a redacted version may be displayed based ona level of confidence in the user's identity and the current context.Preferably, redaction may be implemented by storing several versions ofthe encrypted data items at various levels of redaction and each withdifferent decryption keys. An appropriate decryption key may be sentaccording to the level of redaction.

In another embodiment, a decryption key may be sent with a warningmessage. For example, the warning message may be displayed before thedata item is displayed, informing the user to take proper precautionsto, e.g., avoid unauthorized access to the data through “shouldersurfing.” The warning message may include an acknowledgement, such thatthe user must confirm that proper precaution is taken to protect thedata item. The user's response may be stored for later auditing.

Preferably, after decryption, the decryption key is securely deletedfrom the mobile device. In block 420, the decrypted data item may bedisplayed on the mobile device. In block 422, once the decrypted dataitem is closed, the decrypted data item may be securely deleted from themobile device. For example, the decrypted data item may be closed due toswitching applications, locking the device, timeout activating screensaver, etc. The decrypted data item may be immediately deleted ordeleted at some future time. If the application is re-activated at somelater point in time, the method restarts at block 402.

Referring now to FIG. 5, a method 500 for gathering additionalauthentication information from a mobile device is illustrativelydepicted according to one embodiment. In block 502, the data protectionsystem may request additional authentication information, as in block416 of FIG. 4. Preferably, the data protection system may provide a listto the mobile device including authentication options, an authenticationscore for each authentication option indicating the level of confidencefor that option, and a minimum authentication score needed to access theencrypted data item. In block 504, it is determined if additional,previously unused authentication information is available. If unusedauthentication information is available, in block 506, theauthentication information may be updated with the unused authenticationinformation and sent to the data protection system. In one embodiment,the mobile device may provide unused authentication information bycontinuously collecting authentication information. For example,continuously collected authentication information may includebiometrics, usage patterns, etc. In another embodiment, unusedauthentication information may be provided by the mobile device byresponding to challenges from the data protection system. If the unusedauthentication information is not sufficient, the process restarts atblock 502.

If there is no additional unused authentication information available,additional authentication challenges may be sent to the mobile device togather additional authentication information. In an embodiment, theauthentication challenges may be sent without the mobile devicerequesting a decryption key (e.g., randomly).

In one embodiment, the authentication challenges may involve userinteraction. For example, the challenge may require a user to enter apassword/PIN, respond to biometric challenges such as taking a pictureor voice recordings, etc. In another embodiment, the authenticationchallenges may include non-interactive response. For example, theauthentication challenges may request a report of the current locationbased on global positioning system (GPS) coordinates, respond to asignal receivable only in certain locations to verify that the device iswithin the limited signal range, etc. In another example, theauthentication challenge may include contacting a third party (e.g., averification call to a call center) to respond the challenge. Theauthentication challenge response may be submitted by the user of themobile device to the data protection system or may be submitted directlyby the third party to the data protection system. Other challenges arealso contemplated.

In block 508, a least intrusive subset of authentication challenges maybe selected that fulfill the data protection system's requirement foraccess. In a preferred embodiment, the data protection system'srequirement for access includes the minimum score. In block 510, themobile device responds to the first authentication challenge. Theresponse may include interactive and non-interactive responses to theauthentication challenges. In block 512, the response to the firstauthentication challenge may be added to the authentication informationof the user. In block 514, it is determine whether the authenticationrequirements are fulfilled by the updated set of current authenticationinformation. Preferably, the authentication scores of the firstauthentication challenge is added to the accumulated authenticationscore of the user and compared to the minimum score needed for access tothe encrypted data item. The minimum authentication score may bereceived by the mobile device as part of the request for additionalauthentication information in block 502. In another embodiment, aftergathering one user authentication response, the updated userauthentication information is sent to the data protection system. If theauthentication challenge response is still not sufficient, the processis repeated at block 502.

If the user authentication information satisfies the authenticationrequirements, in block 516, the user authentication information may besent to the data protection system. If the authentication requirementsare not satisfied by the user authentication information, in block 518,the authentication option used is removed from the list of availableauthentication options and the process returns to block 510 for anotherauthentication challenge option on the list.

Referring now to FIG. 6, a method for determining user eligibility foraccessing an encrypted data item on a mobile device is illustrativelydepicted in accordance with one embodiment. In a preferred embodiment,access to an encrypted data item may be based on an authenticationscore. Each authentication option may be assigned a score. The score maybe fixed for each authentication option or may be a range of scores foran authentication option, wherein the score is selected within the rangebased on, e.g., the confidence of the authentication option (e.g., theconfidence in a voice recognition authentication option). This allowsfor assigning a trust in the authentication method itself and anadjustment for the authentication action. Other factors to select theauthentication score within the range are also contemplated. Anaccumulated authentication score based on the user's authenticationinformation may be compared to a minimum required authentication scoreto determine access to the encrypted data item. Other methods ofdetermining user eligibility are also contemplated.

In block 602, the data protection system receives a request from amobile device for a decryption key for an encrypted data item. In block604, it is determined whether the request includes updatedauthentication or context information, such as updated locationinformation. If the request does include authentication or contextinformation, in block 606, the data protection system may be updated. Inone embodiment, the access request and authentication information may beforwarded to a security information manager system to allow audits,alerting and other automated or human reactions to the content accessand authentication information.

The data protection system may collect all pertinent informationrelating to the data item (e.g., metadata, access history for the mobiledevice, authentication and context history, security information, etc.).Based on the collected information, in block 608, it is determinedwhether a user is eligible to access to the encrypted data item based onthe policy controlling access to the data item. The policy may base itsdecision on a level of confidence that the authorized user of the mobiledevice is the current user of the mobile device.

In one embodiment, the level of confidence may be determined based onthe time of last successful authentication of the user through themobile device or the method of authentication, such as password orbiometric authentication. In another embodiment, the level of confidencemay be determined based on the confidence of the authentication method(e.g., the confidence of a fingerprint identification, voice recognitionor facial recognition), the trust in the authentication method itself(e.g., based on the difficultly to achieve a false positiveauthentication by exploiting weaknesses in the authentication method),or the sensitivity score of the data item. In still a furtherembodiment, the level of confidence may be determined based on thehistory of data access (e.g., based on volume, topic, averagesensitivity scores, etc.) or the current context of the device (e.g.,current location, nearby devices, etc.). For instance, the history maybe used to determine if the data accessed or current context of themobile device is unusual. The access history may be used to determinewhich encrypted data items were accessed in the past from the mobiledevice. The authentication and context history store may be used todetermine the most recent context for the mobile device.

In still other embodiments, the level of confidence may be based on acurrent context of, e.g., the mobile device or the user of the mobiledevice. The context of the mobile device may include one or more of thefollowing: the current location of the mobile device, the history ofprevious locations of the mobile device, the history of previouscompromises of the mobile device, the ownership status of the mobiledevice (e.g., corporate owned or personally owned), the operating systemof the mobile device, the applications installed on the mobile device,the current patch level of the mobile device, the presence of known orsuspected malware on the device, and the security status of the networkswhich the device is connected to. Other factors related to the contextof the mobile device are also contemplated. The context of the user mayinclude one or more of the following: the management status of the user,the business role of the user, the history of the user's access to dataof known sensitivity, the history of the user in experiencing the lossor theft of devices, and the history of the individual in accessing thedevice. Other factors for the context of the user are also contemplated.

In yet another embodiment, the level of confidence may be determinedbased on the risk of device loss or unauthorized device access in thecurrent or recent context of the device (e.g., the probability of theftof the device at the current location or at a previously visitedlocation). In an embodiment, the risk may be based on one or more of thelikelihood that the data item may be leaked or misused, the potentialdamage of such leakage or misuse, etc. The likelihood may be based onone or more of the level of confidence and the current context of themobile device. The potential damage may be based on one or more of thesensitivity score of the requested data item, the aggregated sensitivityscore of the data items the user has accessed in the past, and theaggregated sensitivity score of data items that are currently stored onthe mobile device. Those skilled in the art will appreciate that variousmethods can be used to create an aggregated sensitivity score. Someexamples for aggregation include adding all scores, taking the maximumof the scores, or using monotone functions to map the individual scoresinto an aggregated score. Other methods of aggregating the individualscores are also contemplated. In still another embodiment, the risk thatthe mobile device may be lost or mishandled may be based on, e.g., theuser's history of losing or mishandling the mobile device. Other riskfactors are also contemplated.

If access to the encrypted data item is denied, in block 610, a responsemay be sent to the mobile device indicating that access to the encrypteddata item is denied until the context changes. If access is not denied,in block 612, it is determined whether the level of confidence in theuser's identity is sufficient to display the data item. For example, inone embodiment, the accumulated authentication score of the user iscompared to a minimally required authentication score to determineaccess to the encrypted data item. If trust is sufficient to display thedata item, in block 614, the decryption key is sent to the mobiledevice.

If the level of confidence in the user's identity is not sufficient toaccess the data item, in block 616, then additional authenticationinformation may be needed. The data protection system may requestadditional authentication information from the mobile device. In oneembodiment, additional authentication information is gathered asdiscussed with respect to FIG. 5. A list of authentications that willsufficiently increase the level of confidence in the user's identity toallow access to the encrypted data item may be created. In oneembodiment, the list of authentications is created by creating apowerset of all available authentication options. Each authenticationoption may be iteratively added to the current authenticationinformation of the user such that, if the data protection system allowsaccess to the encrypted data item based on the authenticationinformation of the user including the selected authentication option,that selected authentication option may be added to a list of possibleauthentication options sufficient for accessing the encrypted data item.In one embodiment, the list of authentication methods may include thirdparty identity verification of the user's identity. In block 618, thelist of authentication options may be sent to the mobile device.

Having described preferred embodiments of a system and method to provideserver control for access to mobile client data (which are intended tobe illustrative and not limiting), it is noted that modifications andvariations can be made by persons skilled in the art in light of theabove teachings. It is therefore to be understood that changes may bemade in the particular embodiments disclosed which are within the scopeof the invention as outlined by the appended claims. Having thusdescribed aspects of the invention, with the details and particularityrequired by the patent laws, what is claimed and desired protected byLetters Patent is set forth in the appended claims.

What is claimed is:
 1. A system for protecting a data item, comprising:a sensitivity determination module configured to determine a sensitivityscore of the data item and a current protection level of the data itemupon initiation of transfer of the data item from a server to a clientdevice; a policy decision module configured to apply a policy todetermine an appropriate protection for the data item based upon thesensitivity score and the current protection level; and a securemigration manager module configured to provide a protected data item tothe client device by applying the appropriate protection to the dataitem.
 2. The system as recited in claim 1, wherein sensitivitydetermination module is further configured to: determine sensitivityscores for classes of data on the server; determine a class of the dataitem from the classes of data on the server; and assign a sensitivityscore corresponding to the class of the data item as the sensitivityscore of the data item.
 3. The system as recited in claim 1, wherein thepolicy decision module is further configured to determine theappropriate protection based upon one or more of features of the dataitem and features of the client device.
 4. The system as recited inclaim 3, wherein features of the data item include one or more of type,creator, and indicator of the data item.
 5. The system as recited inclaim 3, wherein features of the client device include one or more of ahistory of compromises, an ownership status, an operating system, aversion of the operating system, applications stored on the clientdevice, a patch status, suspected malware, a status of a networkconnected to the client device, and an application of the client deviceused to access the data item.
 6. The system as recited in claim 1,wherein the secure migration manager module is further configured toprovide a link referring to the protected data item.
 7. The system asrecited in claim 1, wherein the initiation of transfer includes at leastone of a request from the client device and a server initiated transferof the data item.
 8. The system as recited in claim 7, wherein therequest from the client device is due to at least one of a user request,a scheduled request, a signal received by a sensor of the client device,and an event external from the client device.
 9. The system as recitedin claim 7, wherein the server initiated transfer is due to at least oneof a request from the client device, a request from a second device,receiving data from the second device, and a scheduled transfer.
 10. Thesystem as recited in claim 1, further comprising a data protectionserver including the sensitivity determination module, the policydecision module, and the secure migration manager module.
 11. A systemfor accessing a protected data item, comprising: a policy decisionmodule configured to determine a level of confidence that a user of aclient device is an authorized user of the client device to determineeligibility of the user to access the protected data item in response toa request to access the protected data item, wherein the level ofconfidence is based on one or more of a context of the client device, anauthentication history of the client device, and an access history ofthe user of the client device; and an authentication manager moduleconfigured to provide access to the protected data item to the clientdevice in accordance with the level of confidence, such that a level ofconfidence needed to access the protected data item is based upon asensitivity score of the protected data item
 12. The system as recitedin claim 11, wherein the context of the client device includes one ormore of a current location, a location history, a history ofcompromises, an ownership status, an operating system, a version of theoperating system, an application stored on the client device, a patchstatus, suspected malware, and a security status of a network connectedto the client device.
 13. The system as recited in claim 11, wherein thelevel of confidence is based on a context of the user, wherein thecontext of the user includes one or more of a management status, abusiness role, an access history to sensitive data items, a history ofdevice loss, and an access history of the user.
 14. The system asrecited in claim 11, wherein the policy decision module is furtherconfigured to: assign a score to each authentication option; determinean accumulated score by accumulating scores for each authenticationoption provided by the client device; and compare the accumulated scorewith a minimum score needed to access the protected data item.
 15. Thesystem as recited in claim 14, wherein the policy decision module isfurther configured to modify the score for one or more authenticationoptions provided by the client device based on one or more of a contextof the client device at a time of authentication, contexts of the clientdevice since authentication, and an amount of time passed sinceauthentication.
 16. The system as recited in claim 11, wherein thepolicy decision module is configured to request additionalauthentication information from the user based on the level ofconfidence by: providing a list of one or more additional authenticationoptions to the client device such that a set of one or more of theadditional authentication options will make the user eligible to accessthe protected data item; and receiving one or more additionalauthentication options.
 17. The system as recited in claim 11, furthercomprising an authentication challenge module configured to sendauthentication challenges to the client device in accordance with thelevel of confidence.
 18. The system as recited in claim 11, furthercomprising an authentication challenge module configured to requestadditional authentication information by contacting a third party toverify an identity of the user.
 19. The system as recited in claim 15,wherein the authentication manager module is further configured to sendto the client device one or more of a decryption key and obfuscationinversion function corresponding to an appropriate level of redaction ofthe protected data item, wherein the appropriate level of redaction isbased on the access history of the user of the client device and thecontext of the client device.
 20. A system for accessing a protecteddata item, comprising: a policy decision module configured to determinea level of confidence that a user of a mobile device is an authorizeduser of the mobile device to determine eligibility of the user to accessthe protected data item using a data protection server in response to arequest to access the protected data item, wherein the level ofconfidence is based on one or more of a context of the client device, anauthentication history of the client device, and an access history ofthe user of the client device; and an authentication manager moduleconfigured to provide access to the protected data item to the clientdevice using the data protection system in accordance with the level ofconfidence, such that a level of confidence needed to access theprotected data item is based upon sensitivity of the protected dataitem.